Threat actor Mimo deploys crypto miners and proxyware targeting Magento and Docker
July 23, 2025Ravi LakshmananMalware/Cryptocurrency
The threat actors behind the exploitation of vulnerable Craft Content Management System (CMS) instances have shifted their tactics to target Magento CMS and misconfigured Docker instances.

This activity is attributed to a threat actor tracked as Mimo (also known as Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners.

“While Mimo’s main motivation continues to be financial, through cryptocurrency mining and bandwidth monetization, the recent refinement of its operations suggests potential preparation for more advantageous criminal activity,” Datadog Security Labs said in a report released this week.

Mimo’s exploitation of CVE-2025-32432, a critical security flaw in Craft CMS, for cryptojacking and proxyjacking was documented by Sekoia in May 2025.

The newly observed attack chain associated with the threat actor involves the abuse of an undetermined PHP-FPM vulnerability in a Magento e-commerce installation to obtain initial access, which is then used to drop GSocket, a legitimate open-source penetration testing tool, to establish persistent access to the host via a reverse shell.

“The initial access vector is PHP-FPM command injection via the Magento CMS plugin, indicating that Mimo has multiple exploitation capabilities beyond previously observed tradecraft,” said researchers Ryan Simon, Greg Foss, and Matt Muir.

To avoid detection, the GSocket binaries pose as legitimate or kernel-managed threads and blend in with the other processes that may be running on the system.

Another notable technique employed by the attackers is the use of in-memory payloads via memfd_create() to invoke an ELF binary loader called “4L4MD4R” without leaving traces on disk. The loader is responsible for deploying IPRoyal proxyware and the XMRig miner on compromised machines, but not before modifying the “/etc/ld.so.preload” file.
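The two host artefacts described above (an executable that exists only in an anonymous memfd, and an edited /etc/ld.so.preload) are both visible from /proc and the filesystem without any special tooling. The script below is an added hunting example, not code from Datadog’s report or from the article: it flags processes whose /proc/<pid>/exe link points at a memfd image (the kernel renders such links as “/memfd:<name> (deleted)”), flags processes that carry a kernel-thread style name but still have a userland executable (real kernel threads have no exe target), and lists /etc/ld.so.preload entries that are not on an allow-list. The allow-list contents, the sample snapshot and all library names are constructed for illustration.

```python
"""Added hunting example (not from the Datadog report or the article).

Checks two Linux host artefacts described in the article:
  1. processes whose executable lives only in an anonymous memfd
     (readlink of /proc/<pid>/exe reads "/memfd:<name> (deleted)"), and
  2. unexpected entries in /etc/ld.so.preload.
All names in the allow-list and the sample data below are constructed.
"""
import os
import re
from pathlib import Path

# How the kernel renders the exe link of a memfd_create()-backed image.
MEMFD_EXE_RE = re.compile(r"^/memfd:(?P<name>.*) \(deleted\)$")

# Name prefixes that belong to real kernel threads. A real kernel thread has
# no /proc/<pid>/exe target at all, so a process with one of these names
# *and* a readable exe link is a userland program wearing a disguise.
KTHREAD_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration", "rcu_")

# Constructed allow-list: the preload libraries this host is expected to have.
EXPECTED_PRELOAD = frozenset({"/usr/lib/libexpected.so"})


def memfd_name(exe_link):
    """Return the memfd name if the exe link is memfd-backed, else None."""
    m = MEMFD_EXE_RE.match(exe_link)
    return m.group("name") if m else None


def find_suspicious_processes(snapshot):
    """snapshot: iterable of (pid, comm, exe_link); exe_link is "" when the
    process has no exe (kernel thread) or it could not be read.
    Returns (pid, comm, reason) for each hit."""
    hits = []
    for pid, comm, exe in snapshot:
        name = memfd_name(exe)
        if name is not None:
            hits.append((pid, comm, "executable lives in memfd:%s" % name))
        elif exe and comm.startswith(KTHREAD_PREFIXES):
            hits.append((pid, comm, "kernel-thread name but userland exe %s" % exe))
    return hits


def snapshot_proc(proc_root="/proc"):
    """Live snapshot of (pid, comm, exe_link). Run as root: an unprivileged
    reader gets EACCES on other users' exe links, which reads as "" here and
    would hide a hit rather than produce a false one."""
    snap = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue  # process exited between listing and reading
        try:
            exe = os.readlink(entry / "exe")
        except OSError:
            exe = ""  # kernel thread, or not permitted to inspect
        snap.append((int(entry.name), comm, exe))
    return snap


def parse_ld_preload(contents):
    """ld.so.preload is a whitespace-separated list of shared objects."""
    return contents.split()


def audit_ld_preload(contents, allowed=EXPECTED_PRELOAD):
    """Return preload entries that are not on the allow-list."""
    return [p for p in parse_ld_preload(contents) if p not in allowed]


if __name__ == "__main__":
    for pid, comm, reason in find_suspicious_processes(snapshot_proc()):
        print("SUSPICIOUS pid=%d comm=%s: %s" % (pid, comm, reason))
    preload = Path("/etc/ld.so.preload")
    if preload.exists():
        for entry in audit_ld_preload(preload.read_text()):
            print("UNEXPECTED preload entry: %s" % entry)
```

On a compromised host, the memfd check catches the loader itself while it is running; the ld.so.preload check catches the change the loader leaves behind, which survives a reboot. Both are cheap enough to run from cron or an EDR custom rule.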

The distribution of miners and proxyware highlights two broad approaches adopted by Mimo to maximize financial profit. One revenue stream hijacks the CPU resources of the compromised machine to mine cryptocurrency, while the victim’s unused internet bandwidth is monetized for illicit residential proxy services.

“Using proxyware, which normally consumes minimal CPU, allows stealth operations to prevent detection of the additional monetization, even if the crypto miner’s resource usage is throttled,” the researchers said. “This multi-tiered monetization also increases resilience. Even if the crypto miner is detected and removed, the proxy components can remain undetected and ensure the threat actor’s continued revenue.”

Datadog said it also observed the threat actor abusing misconfigured, publicly accessible Docker instances to spawn new containers in which malicious commands are executed to retrieve and run additional payloads from external servers.
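The Docker misconfiguration the actor relies on is almost always the same one: the daemon’s API exposed over plain TCP, where any client that can reach the port can create containers. The function below is an added example, not part of the article or Datadog’s research; it audits a dockerd daemon.json, flagging any tcp:// listener configured without tlsverify, and any TLS-protected listener bound to every interface. The JSON inputs in the usage are constructed; the keys used (hosts, tlsverify) are real daemon.json options.

```python
"""Added example (not from the article or Datadog): audit dockerd's
daemon.json for an API listener that lets remote clients create containers.
Sample configurations are constructed."""
import json
from urllib.parse import urlsplit

# Addresses that mean "listen on every interface".
WILDCARD_HOSTS = {"0.0.0.0", "::", None}


def audit_docker_daemon(config_json):
    """Return a list of findings (empty means nothing to report).

    config_json: the text of /etc/docker/daemon.json.
    Only tcp:// entries in "hosts" are examined; unix:// and fd:// listeners
    are reachable from the local machine only."""
    cfg = json.loads(config_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue
        if not tls_verify:
            # Without client-certificate verification the socket is an
            # unauthenticated root-equivalent API for anyone who can reach it.
            findings.append(
                "%s: TCP API without mutual TLS (tlsverify); remote clients "
                "can create containers unauthenticated" % host)
        elif url.hostname in WILDCARD_HOSTS:
            findings.append(
                "%s: API bound on all interfaces; restrict it to a management "
                "address or firewall the port" % host)
    return findings


def audit_daemon_file(path="/etc/docker/daemon.json"):
    """Read the live config; a missing file means the compiled-in default
    (unix socket only), which yields no findings."""
    try:
        with open(path) as fh:
            return audit_docker_daemon(fh.read())
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    # Constructed sample: the classic exposure next to the hardened form.
    exposed = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    hardened = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],'
                ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
                ' "tlscert": "/etc/docker/server-cert.pem",'
                ' "tlskey": "/etc/docker/server-key.pem"}')
    for label, cfg in (("exposed", exposed), ("hardened", hardened)):
        print(label, audit_docker_daemon(cfg) or "ok")
    print("this host", audit_daemon_file() or "ok")
```

Note that the audit reads the configuration file only; a daemon started with `-H tcp://...` on the command line or via a systemd drop-in will not appear here, so pair it with a check of the listening sockets (for example `ss -ltnp` filtered for dockerd).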

The modular malware, written in Go, is equipped with the ability to achieve persistence, perform file system I/O operations, terminate processes, and perform in-memory execution. It also acts as a dropper for GSocket and IPRoyal and attempts to propagate to other systems via SSH brute-force attacks.

“This demonstrates the threat actor’s willingness to compromise not only CMS providers but diverse services to achieve their goals,” Datadog said.
